mirror images with oc-mirror in upgrade job

openshift · Jan 2, 2025 · e0bb981 · e0bb981
1 parent 348c832
commit e0bb981
Show file tree

Hide file tree

Showing 6 changed files with 323 additions and 0 deletions.
diff --git a/.../openshift-verification-tests-master__ota-amd64-stable-4.18-upgrade-from-stable-4.17.yaml b/.../openshift-verification-tests-master__ota-amd64-stable-4.18-upgrade-from-stable-4.17.yaml
@@ -0,0 +1,74 @@
+base_images:
+  ansible:
+    name: "4.17"
+    namespace: ocp
+    tag: ansible
+  cli:
+    name: "4.17"
+    namespace: ocp
+    tag: cli
+  dev-scripts:
+    name: test
+    namespace: ocp-kni
+    tag: dev-scripts
+  openstack-installer:
+    name: "4.17"
+    namespace: ocp
+    tag: openstack-installer
+  tests-private-postupg:
+    name: tests-private
+    namespace: ci
+    tag: "4.18"
+  tests-private-preupg:
+    name: tests-private
+    namespace: ci
+    tag: "4.17"
+  tools:
+    name: "4.17"
+    namespace: ocp
+    tag: tools
+  upi-installer:
+    name: "4.17"
+    namespace: ocp
+    tag: upi-installer
+  verification-tests:
+    name: verification-tests
+    namespace: ci
+    tag: latest
+releases:
+  latest:
+    release:
+      architecture: amd64
+      channel: fast
+      version: "4.17"
+  target:
+    release:
+      architecture: amd64
+      channel: candidate
+      version: "4.18"
+resources:
+  '*':
+    requests:
+      cpu: 100m
+      memory: 200Mi
+tests:
+- as: azure-ipi-disc-oidc-oc-mirror-f28
+  cron: 51 13 12 * *
+  steps:
+    cluster_profile: azure-qe
+    env:
+      BASE_DOMAIN: qe.azure.devcluster.openshift.com
+      EXTRACT_MANIFEST_INCLUDED: "true"
+      MIRROR_BIN: oc-mirror
+      MIRROR_GRAPH_DATA: "true"
+    test:
+    - ref: cucushift-upgrade-mirror-images-by-oc-mirror
+    - ref: cucushift-upgrade-prehealthcheck
+    - ref: cucushift-upgrade-toimage
+    - ref: cucushift-upgrade-healthcheck
+    workflow: cucushift-installer-rehearse-azure-ipi-disconnected-cco-manual-workload-identity
+zz_generated_metadata:
+  branch: master
+  org: openshift
+  repo: verification-tests
+  variant: ota-amd64-stable-4.18-upgrade-from-stable-4.17
diff --git a/...ator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml b/...ator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml
@@ -20261,6 +20261,80 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build01
+  cron: 51 13 12 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: master
+    org: openshift
+    repo: verification-tests
+  labels:
+    ci-operator.openshift.io/cloud: azure4
+    ci-operator.openshift.io/cloud-cluster-profile: azure-qe
+    ci-operator.openshift.io/variant: ota-amd64-stable-4.18-upgrade-from-stable-4.17
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-verification-tests-master-ota-amd64-stable-4.18-upgrade-from-stable-4.17-azure-ipi-disc-oidc-oc-mirror-f28
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=azure-ipi-disc-oidc-oc-mirror-f28
+      - --variant=ota-amd64-stable-4.18-upgrade-from-stable-4.17
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build05
   cron: 43 3 16 * *

diff --git a/ci-operator/step-registry/cucushift/upgrade/mirror-images/by-oc-mirror/OWNERS b/ci-operator/step-registry/cucushift/upgrade/mirror-images/by-oc-mirror/OWNERS
@@ -0,0 +1,10 @@
+approvers:
+  - jianlinliu
+  - jiajliu
+  - shellyyang1989
+  - jhou1
+reviewers:
+  - jiajliu
+  - jianlinliu
+  - shellyyang1989
+  - jhou1
diff --git a/...grade/mirror-images/by-oc-mirror/cucushift-upgrade-mirror-images-by-oc-mirror-commands.sh b/...grade/mirror-images/by-oc-mirror/cucushift-upgrade-mirror-images-by-oc-mirror-commands.sh
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
+# save the exit code for junit xml file generated in step gather-must-gather
+# pre configuration steps before running installation, exit code 100 if failed,
+# save to install-pre-config-status.txt
+# post check steps after cluster installation, exit code 101 if failed,
+# save to install-post-check-status.txt
+EXIT_CODE=100
+trap 'if [[ "$?" == 0 ]]; then EXIT_CODE=0; fi; echo "${EXIT_CODE}" > "${SHARED_DIR}/install-pre-config-status.txt"' EXIT TERM
+
+export HOME="${HOME:-/tmp/home}"
+export XDG_RUNTIME_DIR="${HOME}/run"
+export REGISTRY_AUTH_PREFERENCE=podman # TODO: remove later, used for migrating oc from docker to podman
+mkdir -p "${XDG_RUNTIME_DIR}"
+
+function run_command() {
+    local CMD="$1"
+    echo "Running command: ${CMD}"
+    eval "${CMD}"
+}
+
+# private mirror registry host
+# <public_dns>:<port>
+MIRROR_REGISTRY_HOST=$(head -n 1 "${SHARED_DIR}/mirror_registry_url")
+echo "MIRROR_REGISTRY_HOST: $MIRROR_REGISTRY_HOST"
+echo "OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE: ${OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE}"
+
+# target release
+target_release_image="${MIRROR_REGISTRY_HOST}/${OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE#*/}"
+target_release_image_repo="${target_release_image%:*}"
+target_release_image_repo="${target_release_image_repo%@sha256*}"
+echo "target_release_image_repo: $target_release_image_repo"
+
+# since ci-operator gives steps KUBECONFIG pointing to cluster under test under some circumstances,
+# unset KUBECONFIG to ensure this step always interact with the build farm.
+unset KUBECONFIG
+oc registry login
+
+run_command "which oc"
+run_command "oc version --client"
+oc_mirror_dir=$(mktemp -d)
+pushd "${oc_mirror_dir}"
+new_pull_secret="${oc_mirror_dir}/new_pull_secret"
+
+# combine custom registry credential and default pull secret
+registry_cred=$(head -n 1 "/var/run/vault/mirror-registry/registry_creds" | base64 -w 0)
+cat "${CLUSTER_PROFILE_DIR}/pull-secret" | python3 -c 'import json,sys;j=json.load(sys.stdin);a=j["auths"];a["'${MIRROR_REGISTRY_HOST}'"]={"auth":"'${registry_cred}'"};j["auths"]=a;print(json.dumps(j))' > "${new_pull_secret}"
+
+#Because user does not have permission to update subgid and subuid file, so use another workaround.
+ocp_version=$(oc adm release info ${OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE} -ojsonpath='{.metadata.version}' | cut -d. -f 1,2)
+ocp_minor_version=$(echo "${ocp_version}" | awk --field-separator=. '{print $2}')
+if ((ocp_minor_version > 17)); then
+    echo "export TEST_E2E=true to workaournd OCPBUGS-43986"
+    export TEST_E2E=true
+fi
+
+oc_mirror_bin="oc-mirror"
+run_command "'${oc_mirror_bin}' version --output=yaml"
+
+# set the imagesetconfigure
+image_set_config="image_set_config.yaml"
+cat <<END | tee "${image_set_config}"
+kind: ImageSetConfiguration
+apiVersion: mirror.openshift.io/v2alpha1
+mirror:
+  platform:
+    release: ${OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE}
+    graph: ${MIRROR_GRAPH_DATA}
+END
+
+# https://github.com/openshift/oc-mirror/blob/main/docs/usage.md#authentication
+# oc-mirror only respect ~/.docker/config.json -> ${XDG_RUNTIME_DIR}/containers/auth.json
+mkdir -p "${XDG_RUNTIME_DIR}/containers/"
+cp -rf "${new_pull_secret}" "${XDG_RUNTIME_DIR}/containers/auth.json"
+
+unset REGISTRY_AUTH_PREFERENCE
+
+# execute the oc-mirror command
+run_command "'${oc_mirror_bin}' -c ${image_set_config} docker://${target_release_image_repo} --dest-tls-verify=false --v2 --workspace file://${oc_mirror_dir}"
+
+# Save output from oc-mirror
+result_folder="${oc_mirror_dir}/working-dir"
+idms_file="${result_folder}/cluster-resources/idms-oc-mirror.yaml"
+itms_file="${result_folder}/cluster-resources/itms-oc-mirror.yaml"
+
+if [ ! -s "${idms_file}" ]; then
+    echo "${idms_file} not found, exit..."
+    exit 1
+else
+    run_command "cat '${idms_file}'"
+    run_command "cp -rf '${idms_file}' ${SHARED_DIR}"
+    run_command "oc apply -f '${idms_file}'"
+fi
+
+if [ -s "${itms_file}" ]; then
+    echo "${itms_file} found"
+    run_command "cat '${itms_file}'"
+    run_command "cp -rf '${itms_file}' ${SHARED_DIR}"
+fi
+
+if [[ "${MIRROR_GRAPH_DATA}" == "true" ]]; then
+    us_file="${result_folder}/cluster-resources/updateService.yaml"
+    if [ ! -s "${us_file}" ]; then
+        echo "${us_file} not found, exit..."
+        exit 1
+    else
+        run_command "cat '${us_file}'"
+        run_command "cp -rf '${us_file}' ${SHARED_DIR}"
+    fi
+    sig_folder="${oc_mirror_dir}/signatures"
+    if [[ -z "${sig_folder}" ]]; then
+        echo "signatures not found, exit..."
+        exit 1
+    fi
+    oc apply -f "${sig_folder}"
+fi
+
+# Ending
+rm -f "${new_pull_secret}"
diff --git a/...mirror-images/by-oc-mirror/cucushift-upgrade-mirror-images-by-oc-mirror-ref.metadata.json b/...mirror-images/by-oc-mirror/cucushift-upgrade-mirror-images-by-oc-mirror-ref.metadata.json
@@ -0,0 +1,17 @@
+{
+	"path": "cucushift/upgrade/mirror-images/by-oc-mirror/cucushift-upgrade-mirror-images-by-oc-mirror-ref.yaml",
+	"owners": {
+		"approvers": [
+			"jianlinliu",
+			"jiajliu",
+			"shellyyang1989",
+			"jhou1"
+		],
+		"reviewers": [
+			"jiajliu",
+			"jianlinliu",
+			"shellyyang1989",
+			"jhou1"
+		]
+	}
+}
diff --git a/.../upgrade/mirror-images/by-oc-mirror/cucushift-upgrade-mirror-images-by-oc-mirror-ref.yaml b/.../upgrade/mirror-images/by-oc-mirror/cucushift-upgrade-mirror-images-by-oc-mirror-ref.yaml
@@ -0,0 +1,24 @@
+ref:
+  as: cucushift-upgrade-mirror-images-by-oc-mirror
+  from: oc-mirror
+  cli: target
+  grace_period: 10m
+  commands: cucushift-upgrade-mirror-images-by-oc-mirror-commands.sh
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+  env:
+  - name: MIRROR_GRAPH_DATA
+    default: "false"
+    documentation: |-
+      Determin if generate osus resource and mirror graph-data image
+  credentials:
+  - namespace: test-credentials
+    name: openshift-custom-mirror-registry
+    mount_path: /var/run/vault/mirror-registry
+  dependencies:
+  - name: "release:target"
+    env: "OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE"
+  documentation: |-
+    Mirror release image to local image registry.